Magic Winmail Server IMAP commands directory traversal

magic-winmail-command-directory-traversal (19114) The risk level is classified as MediumMedium Risk

Description:

Magic Winmail Server is a POP3 and SMTP server for Microsoft Windows platforms. Magic Winmail Server version 4.0 Build 1112 and possibly earlier versions running on Microsoft Windows 2000 SP4 and Windows XP SP2 could allow a remote attacker to traverse directories, caused by improper validation when processing user supplied IMAP commands. A remote attacker with a valid login could use specially-crafted commands, such as CREATE, EXAMINE, SELECT, or DELETE, to traverse directories and gain access to sensitive information, and possibly create or delete arbitrary directories or files on the server.


Consequences:

Obtain Information

Remedy:

Upgrade to the latest version of Magic Winmail Server (4.0 Build 1318 or later), available from the Winmail Server Web site. See References.

References:

  • BugTraq Mailing List, Thu Jan 27 2005 - 09:55:44 CST: Magic Winmail Server v4.0 Multiple Vulnerabilities.
  • Winmail Server Web site: Winmail Mail Server - Professional and Easy to Use.
  • BID-12388: Magic Winmail Server Multiple Vulnerabilities
  • CVE-2005-0313: Multiple directory traversal vulnerabilities in Magic Winmail Server 4.0 Build 1112 allow remote attackers to (1) upload arbitrary files via certain parameters to upload.php or (2) read arbitrary files via certain parameters to download.php, and remote authenticated users to read, create, or delete arbitrary directories and files via the IMAP commands (3) CREATE, (4) EXAMINE, (5) SELECT, or (6) DELETE.
  • SA14053: Winmail Server Multiple Vulnerabilities
  • SECTRACK ID: 1013017: Magic Winmail Server Input Validation Holes in Webmail and IMAP Services Allow Directory Traversal Attacks

Platforms Affected:

  • AMAX Information Technologies Winmail Server 4.0 (Build 1112)
  • Microsoft Windows 2000 SP4
  • Microsoft Windows XP SP2

Reported:

Jan 27, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page